CPATH-2026-0021 · DRONE AV

DEVICE_CONTROL_SAFETY (Physical/safety) · Evidence EV:3 (reproduced / report-backed) · Liveness MITIGATED

Vector: CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:4/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:MITIGATED

| Field | Value |
| --- | --- |
| CPATH ID | CPATH-2026-0021 |
| CVE(s) | — |
| Device / class | Phantom of the ADAS: Projected/Billboard Phantom Object Attacks on Tesla Autopilot and Mobileye (DRONE AV) |
| Vendor | Tesla |
| Dominant consequence | DEVICE_CONTROL_SAFETY (Physical/safety) |
| Paths verdict | CRITICAL (worst of 2 paths) |
| Published baseline | No public baseline score is published for this case. The registry still records the reachable consequence path for review. |
| Baseline relationship | ⊘ no published baseline |
| Consequence dimension(s) | #1 #2 #7 |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | low |

Consequence Paths

Physical/safety: DEVICE_CONTROL_SAFETY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:4/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:MITIGATED

Perception: PERCEPTION_TO_ACTION
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:4/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:MITIGATED

CFSE Consequence Paths assesses Phantom of the ADAS: Projected/Billboard Phantom Object Attacks on Tesla Autopilot and Mobileye at CRITICAL — the worst of 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.
Phantom of the ADAS: Projected/Billboard Phantom Object Attacks on Tesla Autopilot and Mobileye. Reported attack vector: Physical/optical line-of-sight (projector or compromised/leased digital billboard within camera view).
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and on the authority, perception, and physical/safety consequences it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:4/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:MITIGATED
Exposure EX=2 (reachability-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=ELEVATED → base CRITICAL → assessed CRITICAL.
Positioning and execution are the same as for the perception path: proximity optical line-of-sight (RE:2) and a trivial commodity projector/billboard (EC:4). The terminal consequence here is the actuation itself — sudden unwarranted automatic braking on a live road, demonstrated on Tesla Model X HW2.5/HW3, with credible potential for a rear-end collision or dangerous evasive maneuver — PH:4 (dangerous actuation / credible injury). DP:4 because the trigger is corruption of the safety-relevant camera world model, perception_feeds_action=true. Authority is indirect: the attacker does not gain privilege but coerces the vehicle’s own control output via spoofed input — AT:2 (influence over a bounded actuation, no signing/firmware/fleet-control root). The path crosses optical/perception/actuation/safety boundaries — boundary_crossing=true, CH:4 as a reusable bridge. SR:4: shared model-level perceptual weakness, fully portable. SX:3: one phantom source affects all passing affected vehicles but needs per-location optical placement. OR:3: no single firmware fix; addressed via perception-model improvements, no recall/fleet reprovision required. EV:3: reproduced on production vehicles; LS MITIGATED; no in-the-wild exploitation.
PERCEPTION_TO_ACTION → CRITICAL
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:4/EX:2/PH:4/DP:4/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:MITIGATED
Exposure EX=2 (reachability-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=ELEVATED → base CRITICAL → assessed CRITICAL.
Optical line-of-sight (projector/billboard within camera view) is proximity/local-physical-world positioning, not network — RE:2. Once positioned, the attack is a trivial single projection with commodity equipment (consumer projector, milliseconds-long billboard frame) and needs minimal expertise — EC:4. The phantom corrupts the camera-based world model / object-detection input, the safety-relevant perception layer — DP:4, perception_feeds_action=true because the spoofed object directly drives autonomous braking/steering decisions. No software privilege is gained; the attacker abuses the legitimate perception-to-actuation pathway, inducing the ADAS to take its own bounded safety action — AT:2. The path crosses physical/optical → perception → actuation/safety boundaries — boundary_crossing=true, CH:4 as a reusable cross-domain bridge from environment manipulation to vehicle control. SR:4: the perceptual ambiguity is shared across every vehicle of the affected model/software, fully portable, no per-vehicle secret. SX:3: one billboard/projector hits many passing vehicles but requires per-site optical setup and line-of-sight, so it is deployment-wide rather than fully fleet-remote/cloud. OR:3: no clean firmware patch removes the ambiguity; mitigated via multi-network authenticity model improvements (GhostBusters) rather than a single fix or fleet reprovision. EV:3: reproduced on production Tesla Model X and Mobileye 630 PRO; LS MITIGATED; not known to be exploited in the wild.
No public baseline score has been published for this finding. It belongs to a design-level harm class that is often outside published vulnerability-scoring coverage. The registry records the reachable consequence path for review.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0021 (“Phantom of the ADAS: Projected/Billboard Phantom Object Attacks on Tesla Autopilot and Mobileye”), paths.cfse.ai/CPATH-2026-0021 (published 2026-06-03).